Update warning when users sign images by tag. (#2313)

* Update warning when users sign images by tag. See #2047.

  Signed-off-by: Zachary Newman <[email protected]>

* Fix lots of docs

  Signed-off-by: Zachary Newman <[email protected]>

* Add test cases for no-digest warning message

  Also explicitly check for Digest being set, rather than Tag not being set. This doesn't actually make a difference because name.ParseReference just throws away the tag in such cases (maybe a bug), but it does make the intent clearer.

  Signed-off-by: Zachary Newman <[email protected]>

Signed-off-by: Zachary Newman <[email protected]>
Showing 11 changed files with 231 additions and 117 deletions.
@@ -8,12 +8,19 @@ Try it out! | |
This signature mode relies on the Sigstore Public Good Instance, which is rapidly heading toward a GA release! | ||
We don't have a date yet, but follow along on the [GitHub project](https://github.com/orgs/sigstore/projects/5). | ||
|
||
The following examples use this image: | ||
|
||
```shell | ||
$ IMAGE=gcr.io/dlorenc-vmtest2/demo | ||
$ IMAGE_DIGEST=$IMAGE@sha256:97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36 | ||
``` | ||
|
||
## Usage | ||
|
||
Keyless signing: | ||
|
||
```shell | ||
$ COSIGN_EXPERIMENTAL=1 cosign sign gcr.io/dlorenc-vmtest2/demo | ||
$ COSIGN_EXPERIMENTAL=1 cosign sign $IMAGE_DIGEST | ||
Generating ephemeral keys... | ||
Retrieving signed certificate... | ||
Your browser will now be opened to: | ||
|
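Review bot: Missing documentation in this hunk: the sign example now takes `$IMAGE_DIGEST` instead of the tag, which is the point of #2047, but the reader is never told why. A one-line note after "The following examples use this image:" would make the intent visible, e.g. that `cosign sign` resolves whatever reference it is given to a digest and binds the signature to that digest, so signing by tag only ever signs whatever the tag pointed at that moment; pinning the digest up front makes that explicit and avoids the new warning.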
@@ -24,7 +31,7 @@ Pushing signature to: gcr.io/dlorenc-vmtest2/demo:sha256-97fc222cee7991b5b061d4d | |
Keyless verifying: | ||
|
||
```shell | ||
$ COSIGN_EXPERIMENTAL=1 cosign verify gcr.io/dlorenc-vmtest2/demo | ||
$ COSIGN_EXPERIMENTAL=1 cosign verify $IMAGE | ||
The following checks were performed on all of these signatures: | ||
- The cosign claims were validated | ||
- The claims were present in the transparency log | ||
|
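Review bot: The verify example keeps the tag form (`cosign verify $IMAGE`) while the sign example two hunks up switched to `$IMAGE_DIGEST`; that asymmetry is correct, since verify resolves the tag to a digest at verify time and looks up the signature stored under that digest (the `:sha256-97fc222...` tag shown in the hunk header's "Pushing signature to:" line), but a short sentence saying so would stop readers from concluding that the tag form is equally fine for `sign`.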
@@ -73,21 +80,18 @@ and producing an identity token. Currently this supports Google and GitHub. | |
From a GCE VM, you can use the VM's service account identity to sign an image: | ||
|
||
```shell | ||
$ cosign sign --identity-token=$( | ||
gcloud auth print-identity-token \ | ||
--audiences=sigstore) \ | ||
gcr.io/dlorenc-vmtest2/demo | ||
$ IDENTITY_TOKEN=$(gcloud auth print-identity-token --audiences=sigstore) | ||
$ cosign sign --identity-token=$IDENTITY_TOKEN $IMAGE_DIGEST | ||
``` | ||
|
||
From outside a GCE VM, you can impersonate a GCP IAM service account to sign an image: | ||
|
||
```shell | ||
$ cosign sign --identity-token=$( | ||
gcloud auth print-identity-token \ | ||
$ IDENTITY_TOKEN=$(gcloud auth print-identity-token \ | ||
--audiences=sigstore \ | ||
--include-email \ | ||
--impersonate-service-account [email protected]) \ | ||
gcr.io/dlorenc-vmtest2/demo | ||
--impersonate-service-account [email protected]) | ||
$ cosign sign --identity-token=$IDENTITY_TOKEN $IMAGE_DIGEST | ||
``` | ||
|
||
In order to impersonate an IAM service account, your account must have the | ||
|
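Review bot: Both rewritten examples in this hunk now depend on `$IMAGE_DIGEST`, which is only defined some 70 lines earlier in the "Try it out!" section; someone who jumps straight to the GCE / IAM impersonation section and copies `cosign sign --identity-token=$IDENTITY_TOKEN $IMAGE_DIGEST` gets an empty image argument and a confusing error. Consider restating the `IMAGE_DIGEST=` assignment here or adding a sentence pointing back to where it is set. Splitting the `gcloud auth print-identity-token` call into `IDENTITY_TOKEN=$(...)` is otherwise a readability improvement over the nested `$(...)` form.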
@@ -138,7 +142,7 @@ To use this instance, follow the steps below: | |
1. `gsutil cp -r gs://tuf-root-staging/root.json .` | ||
1. `cd tuf-root-staging` | ||
1. `cosign initialize --mirror=tuf-root-staging --root=root.json` | ||
1. `COSIGN_EXPERIMENTAL=1 cosign sign --oidc-issuer "https://oauth2.sigstage.dev/auth" --fulcio-url "https://fulcio.sigstage.dev" --rekor-url "https://rekor.sigstage.dev" ${IMAGE}` | ||
1. `COSIGN_EXPERIMENTAL=1 cosign sign --oidc-issuer "https://oauth2.sigstage.dev/auth" --fulcio-url "https://fulcio.sigstage.dev" --rekor-url "https://rekor.sigstage.dev" ${IMAGE_DIGEST}` | ||
1. `COSIGN_EXPERIMENTAL=1 cosign verify --rekor-url "https://rekor.sigstage.dev" ${IMAGE}` | ||
|
||
* Steps 1-4 configures your local environment to use the staging keys and certificates. | ||
|
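Review bot: Style: this hunk uses the braced `${IMAGE_DIGEST}` / `${IMAGE}` form while the rest of the file (the hunks above) uses `$IMAGE_DIGEST` / `$IMAGE`; since the line is being touched anyway, pick one spelling for the whole document. The sign-by-digest / verify-by-tag split is consistent with the earlier examples.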
@@ -157,10 +161,10 @@ We need to clear the local TUF root data and re-initialize with the default prod | |
If you're running your own sigstore services flags are available to set your own endpoint's, e.g | ||
|
||
``` | ||
COSIGN_EXPERIMENTAL=1 go run cmd/cosign/main.go sign -oidc-issuer "https://oauth2.example.com/auth" \ | ||
COSIGN_EXPERIMENTAL=1 cosign sign -oidc-issuer "https://oauth2.example.com/auth" \ | ||
-fulcio-url "https://fulcio.example.com" \ | ||
-rekor-url "https://rekor.example.com" \ | ||
ghcr.io/jdoe/somerepo/testcosign | ||
$IMAGE_DIGEST | ||
``` | ||
|
||
|
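Review bot: Two consistency points on the custom-endpoint example: the flags are written with a single dash (`-oidc-issuer`, `-fulcio-url`, `-rekor-url`) while the staging example in the previous hunk uses `--oidc-issuer`, `--fulcio-url` and `--rekor-url`, and this fence has no language tag while every other block in the file is ` ```shell `. Since the command line is being rewritten from `go run cmd/cosign/main.go` to `cosign` here, normalising the flags to the double-dash form and tagging the fence would be cheap to fold in.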